Gab_FTNT
Staff & Editor
Article Id 356483
Description This article describes a solution for the error 'Administrator does not have permission to generate this log: security-event API error 403' and the troubleshooting steps involved.
Scope FortiGate, FortiAnalyzer.
Solution

FortiAnalyzer Event Handler has an option to send an alert to trigger an automation stitch on FortiGate.
The following steps explain the sequence that makes this happen.

  1. Logs are generated on FortiGate then sent to FortiAnalyzer.
  2. Event Handlers have a set of rules/conditions that review specific log fields. If those conditions are met, the Event Handler fires.
  3. FortiAnalyzer then sends a request to FortiGate over HTTPS to notify FortiGate that the Automation Stitch needs to be executed.
  4. The Automation Stitch on FortiGate is then triggered to perform a pre-configured action.


Troubleshooting:
The following debug commands can be run on FortiAnalyzer and FortiGate to provide more insight on what is happening in the background.

FortiAnalyzer Commands:

 

diag debug app oftpd 255 <FortiGate_Name>
diag debug enable

FortiGate Commands:

 

diagnose debug reset
diagnose debug application httpsd -1
diagnose debug app autod -1

diagnose debug enable

By reviewing the HTTPS Debug output on FortiGate, the following error can be observed:

[httpsd 20951 - 1713376416 error] generate_event[893] -- Administrator does not have permission to generate this log: security-event
[httpsd 20951 - 1713376416 warning] api_return_http_result[1275] -- API error 403 raised

The reason for this error is that FortiOS no longer supports username/password authentication to FortiAnalyzer.
Certificate authorization must be used for FortiAnalyzer to send its request through the OFTP daemon.
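
To spot this failure in a saved debug capture, the following added example (not part of the original article and not Fortinet code) parses httpsd debug lines and reports a permission denial that is followed by API error 403 from the same process. It assumes the two numbers inside the bracket are the process ID and an epoch timestamp in seconds; the function names and every sample line other than the two quoted above are constructed.

```python
import re

# Constructed sample: the first two lines are the ones quoted in this article,
# the remaining lines are made up to exercise the parser.
SAMPLE = """\
[httpsd 20951 - 1713376416 error] generate_event[893] -- Administrator does not have permission to generate this log: security-event
[httpsd 20951 - 1713376416 warning] api_return_http_result[1275] -- API error 403 raised
[httpsd 20960 - 1713376420 warning] api_return_http_result[1275] -- API error 404 raised
unrelated debug output
"""

# Assumed layout: [httpsd <process id> - <epoch seconds> <level>] func[line] -- message
LINE_RE = re.compile(
    r"^\[httpsd (?P<pid>\d+) - (?P<ts>\d+)\s+(?P<level>\w+)\]\s+"
    r"(?P<func>\w+)\[(?P<line>\d+)\] -- (?P<msg>.*)$"
)
DENIED_RE = re.compile(r"does not have permission to generate this log: (?P<log>\S+)")
API_ERR_RE = re.compile(r"API error (?P<code>\d+) raised")

def parse(text):
    """Yield one dict per well-formed httpsd debug line, skipping anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()

def find_denied_stitch_triggers(text, window=2):
    """Return findings where a generate_event permission denial is followed by
    API error 403 from the same httpsd process within `window` seconds."""
    findings = []
    pending = {}  # pid -> (timestamp, log type) of the most recent denial
    for rec in parse(text):
        pid, ts = rec["pid"], int(rec["ts"])
        denied = DENIED_RE.search(rec["msg"])
        if rec["func"] == "generate_event" and denied:
            pending[pid] = (ts, denied.group("log"))
            continue
        api = API_ERR_RE.search(rec["msg"])
        if api and api.group("code") == "403" and pid in pending:
            t0, log_type = pending.pop(pid)
            if ts - t0 <= window:
                findings.append({"pid": int(pid), "time": t0, "log_type": log_type})
    return findings

if __name__ == "__main__":
    for f in find_denied_stitch_triggers(SAMPLE):
        print(f"httpsd pid {f['pid']} at {f['time']}: 403 denied for {f['log_type']}")
```
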

Navigate to Fabric Connectors -> Logging & Analytics -> Edit.

Enable 'Verify FortiAnalyzer certificate' and select OK.


Upon enabling the feature, a Certificate Authorization prompt will appear. Select Accept.

Restart both daemons involved between FortiGate and FortiAnalyzer:

FortiAnalyzer: diag test app oftpd 99
FortiGate: fnsysctl killall httpsd

If these commands do not work, reboot both FortiAnalyzer and FortiGate with the following command on each:


execute reboot
